diff --git a/cmd/step/main.go b/cmd/step/main.go
index 5031ddf9..0d55b18c 100644
--- a/cmd/step/main.go
+++ b/cmd/step/main.go
@@ -150,13 +150,13 @@ func panicHandler() {
 fmt.Fprintf(os.Stderr, "%s\n", step.Version())
 fmt.Fprintf(os.Stderr, "Release Date: %s\n\n", step.ReleaseDate())
 panic(r)
- } else {
- fmt.Fprintln(os.Stderr, "Something unexpected happened.")
- fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
- fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))
- fmt.Fprintln(os.Stderr, "and send the output to info@smallstep.com")
- os.Exit(2)
 }
+
+ fmt.Fprintln(os.Stderr, "Something unexpected happened.")
+ fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
+ fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))
+ fmt.Fprintln(os.Stderr, "and send the output to info@smallstep.com")
+ os.Exit(2)
 }
 }
diff --git a/command/certificate/p12.go b/command/certificate/p12.go
index 68c45b24..47f182f8 100644
--- a/command/certificate/p12.go
+++ b/command/certificate/p12.go
@@ -1,7 +1,6 @@
 package certificate
 import (
- "crypto/rand"
 "crypto/x509"
 "fmt"
@@ -23,7 +22,7 @@ func p12Command() cli.Command {
 Action: command.ActionFunc(p12Action),
 Usage: `package a certificate and keys into a .p12 file`,
 UsageText: `step certificate p12 [] []
-[**--ca**=] [**--password-file**=]`,
+[**--ca**=] [**--password-file**=] [**--legacy**]`,
 Description: `**step certificate p12** creates a .p12 (PFX / PKCS12) file containing certificates and keys. This can then be used to import into Windows / Firefox / Java applications.
@@ -56,7 +55,15 @@ Package a certificate and private key with an empty password:
 '''
 $ step certificate p12 --no-password --insecure foo.p12 foo.crt foo.key
-'''`,
+'''
+
+Package a certificate and private key using a legacy encoder,
+
+'''
+$ step certificate p12 --legacy foo.p12 foo.crt foo.key
+'''
+
+`,
 Flags: []cli.Flag{
 cli.StringSliceFlag{
 Name: "ca",
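Review bot: The re-run hint `fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))` joins the arguments with bare spaces, so the command it prints is wrong for any argument containing a space or shell metacharacter, and it echoes every argument verbatim, including anything sensitive that was passed on the command line. Quoting each element (for example with `%q`) before the join would make the hint copy-pasteable and the exposure at least visible; whether to redact known-sensitive flags is a product call. These lines are only moved by this commit, so the behaviour is pre-existing, and panicHandler itself begins before the hunk.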
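Review bot: The lead-in for the new example, `Package a certificate and private key using a legacy encoder,`, ends in a comma where the other examples end in a colon, and it gives the reader no reason to choose the flag. I would write `Package a certificate and private key with the legacy PKCS#12 encoding (RC2/3DES with SHA-1), for importers that cannot read the modern format:`. The same commit switches the default from the old `pkcs12.Encode` to `pkcs12.Modern` (see the p12Action hunks below), and the new flag text calls the legacy algorithms the ones "traditionally used", presumably the format the previous encoder produced; the Description should therefore say that the default output format changed and that `--legacy` reproduces the previous one, since, as I recall, older Java and Windows importers accept only the legacy algorithms and users importing there will need the flag. The Description raw string continues past the hunk.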
@@ -69,6 +76,10 @@ multiple CAs or intermediates.`,
 Usage: `The path to the containing the password to encrypt the .p12 file.`,
 },
 flags.NoPassword,
+ cli.BoolFlag{
+ Name: "legacy",
+ Usage: "Encodes PKCS#12 files using the algorithms that were traditionally used, PBE+SHA1+RC2 for certificates and PBE+SHA1+3DES for keys.",
+ },
 flags.Force,
 flags.Insecure,
 },
@@ -86,6 +97,11 @@ func p12Action(ctx *cli.Context) error {
 caFiles := ctx.StringSlice("ca")
 hasKeyAndCert := crtFile != "" && keyFile != ""
+ encoder := pkcs12.Modern
+ if ctx.Bool("legacy") {
+ encoder = pkcs12.LegacyRC2
+ }
+
 // If either key or cert are provided, both must be provided
 if !hasKeyAndCert && (crtFile != "" || keyFile != "") {
 return errs.MissingArguments(ctx, "key_file")
@@ -150,7 +166,7 @@ func p12Action(ctx *cli.Context) error {
 // Any remaining certs will be intermediates for the server
 x509CAs = append(x509CAs, x509CertBundle[1:]...)
- pkcs12Data, err = pkcs12.Encode(rand.Reader, key, x509Cert, x509CAs, password)
+ pkcs12Data, err = encoder.Encode(key, x509Cert, x509CAs, password)
 if err != nil {
 return errs.Wrap(err, "failed to encode PKCS12 data")
 }
@@ -163,7 +179,7 @@ func p12Action(ctx *cli.Context) error {
 FriendlyName: fmt.Sprintf("%s - %s", cert.Subject.String(), x509util.Fingerprint(cert)),
 })
 }
- pkcs12Data, err = pkcs12.EncodeTrustStoreEntries(rand.Reader, certsWithFriendlyNames, password)
+ pkcs12Data, err = encoder.EncodeTrustStoreEntries(certsWithFriendlyNames, password)
 if err != nil {
 return errs.Wrap(err, "failed to encode PKCS12 data")
 }
diff --git a/command/crypto/jwe/decrypt.go b/command/crypto/jwe/decrypt.go
index c9ce1e27..cb02014b 100644
--- a/command/crypto/jwe/decrypt.go
+++ b/command/crypto/jwe/decrypt.go
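Review bot: The `--legacy` Usage string names the algorithms but not their strength, so `--help` gives no reason to prefer the default: the PBE-SHA1-RC2 scheme PKCS#12 defines for certificate bags (and the one I believe go-pkcs12's `LegacyRC2` uses) is 40-bit RC2, and the key derivation and MAC are SHA-1 based, which is export-grade protection for the file. I would state that in the flag text, e.g. `Usage: "Encode the .p12 with the legacy PKCS#12 algorithms (40-bit RC2 for certificates, 3DES for the key, SHA-1 KDF and MAC) for importers that cannot read the modern AES-based format. These algorithms are weak; protect the file by other means and avoid them unless required."`. Naming the key size is the part that changes a user's decision.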
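Review bot: `--legacy` is honoured on its own at `if ctx.Bool("legacy") {`, while the `--no-password` example in this same command pairs that weakening with `--insecure`; choosing 40-bit RC2 is at least as much of a downgrade and should follow the same convention, so I would reject `--legacy` without `--insecure` (presumably the `--no-password` check elsewhere in p12Action already has an error shape to reuse) before assigning `encoder = pkcs12.LegacyRC2`. Separately, if go-pkcs12 v0.4.0 still offers `pkcs12.LegacyDES` next to `LegacyRC2`, it may be the better target for this flag: as I recall from the library's documentation, OpenSSL 3 will not read `LegacyRC2` output without its legacy provider, whereas 3DES-only files are accepted by OpenSSL 3, older Java and Windows alike, which covers the compatibility case without the 40-bit cipher. p12Action starts before the hunk and continues past it.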
@@ -48,7 +48,7 @@ used with **--jwks** (a JWK Set) the KID value must match the **"kid"** member o
 one of the JWKs in the JWK Set.`,
 },
 cli.StringFlag{
- Name: "password-file",
+ Name: "password-file",
 Usage: `The path to the containing the password to encrypt the keys.`,
 },
 },
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
index 67e649e5..1be3da79 100644
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -44,10 +44,12 @@ import (
 // Google is also distributing the client ID and secret on the cloud SDK
 // available here https://cloud.google.com/sdk/docs/quickstarts
 const (
+ //nolint:gosec // This is a client meant for open source testing. The client has no security access or roles.
 defaultClientID = "1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com"
 //nolint:gosec // This is a client meant for open source testing. The client has no security access or roles.
 defaultClientNotSoSecret = "udTrOT3gzrO7W9fDPgZQLfYJ"
+ //nolint:gosec // This is a client meant for open source testing. The client has no security access or roles.
 defaultDeviceAuthzClientID = "1087160488420-1u0jqoulmv3mfomfh6fhkfs4vk4bdjih.apps.googleusercontent.com"
 //nolint:gosec // This is a client meant for open source testing. The client has no security access or roles.
 defaultDeviceAuthzClientNotSoSecret = "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"
diff --git a/go.mod b/go.mod
index c595a947..117aa1ec 100644
--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
 golang.org/x/term v0.15.0
 google.golang.org/protobuf v1.31.0
 gopkg.in/square/go-jose.v2 v2.6.0
- software.sslmate.com/src/go-pkcs12 v0.2.1
+ software.sslmate.com/src/go-pkcs12 v0.4.0
 )
 require (
diff --git a/go.sum b/go.sum
index 11426c63..49ff8c64 100644
--- a/go.sum
+++ b/go.sum
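Review bot: The justification on each new `//nolint:gosec` line, `The client has no security access or roles.`, says a leak would be harmless but not why a credential belongs in source at all, which is what a reader or a future secret scan needs to know; if these are installed-app / device-flow OAuth clients, as the gcloud SDK comment above and the `NotSoSecret` naming suggest, the client secret is by design not confidential (RFC 8252 §8.5) and that is the reason to state. I would write it once and precisely, e.g. `//nolint:gosec // Public OAuth client for an installed app: the client secret is not confidential (RFC 8252 §8.5) and grants no access by itself.`. I would also leave the suppression off the two `...ClientID` constants unless gosec actually flags them, since a client ID is an identifier, not a credential, and a bare directive invites the next reader to treat it as one. The const block continues past the hunk.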
@@ -613,5 +613,5 @@ howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-software.sslmate.com/src/go-pkcs12 v0.2.1 h1:tbT1jjaeFOF230tzOIRJ6U5S1jNqpsSyNjzDd58H3J8=
-software.sslmate.com/src/go-pkcs12 v0.2.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
+software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=